For the past year, I’ve been examining why companies need to take a portfolio approach to their cybersecurity. By this, I mean that, similar to a financial portfolio, companies simply can’t have everything — there are too many threats out there, so companies need to allocate their dollars wisely to ensure the most important aspects of their organization are protected.

During this series, I’ve relied on the framework from the National Institute of Standards and Technology (NIST), which covers five functions companies must address in cybersecurity:

Identify
Protect
Detect
Respond
Recover

But I’ve also created my own recommendations on how to determine the right portfolio for your business, with another five-step guide:

Determine needs
Allocate spending according to risk
Design your portfolio
Choose the right products
Rebalance as needed

My overall point throughout these articles has been that no company, and no technology, is invulnerable: threats will occur and they will succeed. Prevention alone is not enough. But the businesses that are most successful at counteracting the threats to their specific crown jewels will be those best positioned in today’s volatile and ever-evolving cybersecurity landscape.

Recently, I had the chance to speak with George Kurtz, the CEO of CrowdStrike, a leading cybersecurity technology firm. My conversation with him provides yet another angle on how to fit your portfolio to your specific needs.
In this piece, I’ll examine his recommendations on how to approach cybersecurity generally, and then in a subsequent piece I’ll look at how CrowdStrike fits into the larger cybersecurity landscape.

Think Like Your Enemy

Kurtz explained his company’s philosophy for cybersecurity succinctly. “At CrowdStrike, we like to take an adversary-centric approach,” he said. By this he means, in many ways, assessing your business through the eyes of potential attackers so you can determine what is most valuable.
Kurtz recommended that before a company buys any cybersecurity product, leaders should follow an approach similar to what I’ve been advocating:

Determine your needs so you can understand what your crown jewels are and what’s most valuable in terms of protection.
Understand the threat landscape and which adversaries are targeting your particular organization.
Identify what it will take to protect against various scenarios through threat modeling (you can do this by understanding how your attackers will go after you, and where your presence is the largest and you are most vulnerable).
Finally, understand the level of maturity of the organization needed to handle these threats.

“Depending on whether you’re in financial services, manufacturing, retail or government, you’re going to have different adversaries targeting you due to varying interests in your particular company,” Kurtz said. “In some cases, it might be intellectual property, in other cases it might be user information. So from my perspective, what I like to do is to really understand who would want access to the company.
“You can make these determinations by asking questions like:

Who are the adversaries that are going to come after us?
How are they going to come after us?
How effective are they?

“You need to do this so that you understand whether your attackers are bringing bayonets or bazookas to the battlefield,” Kurtz told me. “If you have a firewall and a website, there’s not a lot that you can necessarily do from the outside; you have to protect that piece. If you have an ecommerce site and a large cloud and you have all these interactions, you have third-party risk. When you have third parties that are providing services to you, that’s a much different threat model, because then you have to ask: what if someone actually attacks the third-party provider and we’re using their software in our architecture? What if someone taints the supply chain and actually puts rogue code into our code base? You have to come up with these scenarios to ensure you’re protected.”